P5.AGG.001 — Security-sensitive files are concentrated

Principle: P5 (Aggregation of Dangerous Capabilities)
Severity: warn
Evidence: strong
Stability: experimental

What it checks

Files whose paths contain security-sensitive keywords (auth, secret, credential, migration, deploy, etc.) should be concentrated under at most 2 top-level directories per category.

Two-level detection: For repos with a flat top-level structure (e.g., Java projects where everything lives under src/), archfit also checks second-level directory scatter. If sensitive files under a single top-level dir scatter across more than 3 second-level directories, the rule fires with slightly lower confidence (0.80).

Categories checked:

  • auth: auth, authentication, authorization, login, oauth, session, jwt, rbac, acl, permission
  • secret: secret, credential, token, apikey, encrypt, decrypt, cipher, crypto
  • migration: migration, migrate, schema_change
  • deploy: deploy, infra, terraform, cloudformation, pulumi, ansible
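The two-level scatter check described above, written out as an added Python illustration (this is not archfit's own code). It assumes keyword matching is a substring match on the lowercased path, that the top-level finding carries confidence 1.0 (the page only states 0.80 for the second level), and it runs over a constructed list of file paths:

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Keyword lists as given on the rule page.
CATEGORIES = {
    "auth": ["auth", "authentication", "authorization", "login", "oauth",
             "session", "jwt", "rbac", "acl", "permission"],
    "secret": ["secret", "credential", "token", "apikey", "encrypt",
               "decrypt", "cipher", "crypto"],
    "migration": ["migration", "migrate", "schema_change"],
    "deploy": ["deploy", "infra", "terraform", "cloudformation", "pulumi", "ansible"],
}
MAX_TOP_LEVEL = 2     # at most 2 top-level directories per category
MAX_SECOND_LEVEL = 3  # at most 3 second-level directories under a single top-level dir

def categorize(path):
    """Categories whose keywords occur in the lowercased path (substring match assumed)."""
    lowered = path.lower()
    return [cat for cat, words in CATEGORIES.items() if any(w in lowered for w in words)]

def scatter_findings(paths):
    """Map category -> finding dict for every category whose files are too scattered."""
    per_cat = defaultdict(list)
    for p in paths:
        for cat in categorize(p):
            per_cat[cat].append(PurePosixPath(p).parts)
    findings = {}
    for cat, parts_list in per_cat.items():
        top = sorted({parts[0] for parts in parts_list if len(parts) > 1})
        if len(top) > MAX_TOP_LEVEL:
            # Level 1: spread across too many top-level dirs (confidence 1.0 is an assumption).
            findings[cat] = {"level": 1, "dirs": top, "confidence": 1.0}
        elif len(top) == 1:
            # Level 2: flat repo, everything under one top-level dir; count second-level dirs.
            second = sorted({parts[1] for parts in parts_list if len(parts) > 2})
            if len(second) > MAX_SECOND_LEVEL:
                findings[cat] = {"level": 2, "confidence": 0.80,
                                 "dirs": [f"{top[0]}/{d}" for d in second]}
    return findings

# Constructed sample repo: auth is split across three top-level dirs, secret handling
# sits under src/ but in four different second-level dirs; deploy and migration are tidy.
SAMPLE_PATHS = [
    "src/auth/middleware.go", "lib/auth_helpers/jwt.go", "api/auth_middleware/rbac.go",
    "src/config/secrets.go", "src/users/token_store.go",
    "src/payments/crypto_sign.go", "src/storage/encrypt_at_rest.go",
    "deploy/terraform/main.tf", "db/migrations/001_init.sql",
]

if __name__ == "__main__":
    for cat, f in scatter_findings(SAMPLE_PATHS).items():
        print(f"{cat}: level {f['level']} scatter across {f['dirs']} (confidence {f['confidence']})")
```

Substring matching is deliberately broad (e.g. "token" also matches "tokenizer"), which is why a per-category suppression with a rationale is the intended escape hatch rather than weakening the keyword list.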

Why it matters

P5 asks whether dangerous capabilities are aggregated and guarded. When auth logic lives in src/auth/, lib/auth_helpers/, and api/auth_middleware/ simultaneously, an agent (or human) making a security change must find and update all three locations. The probability of missing one grows with scatter.

Concentrated dangerous capabilities are easier to audit, easier to guard with stricter review policies, and easier for agents to reason about within a bounded context window.

When to care

  • Care always for auth and secret categories in any non-trivial application.
  • Care less for migration and deploy categories in monorepos where multiple services legitimately own their own migrations. Suppress per category with a rationale.

How to fix

Consolidate security-sensitive code under a single top-level boundary:

src/
├── auth/              # all auth logic here
│   ├── middleware.go
│   ├── jwt.go
│   └── rbac.go
├── features/
│   ├── billing/
│   └── users/

If the code must live in multiple packages for good architectural reasons, document the boundaries in AGENTS.md and consider suppressing this rule with a rationale.

Suppressing this rule

ignore:
  - rule: P5.AGG.001
    reason: "Monorepo: each service owns its own auth adapter by design"
    expires: 2027-01-01

History

  • 0.3.0 — introduced at stability: experimental.
  • 0.3.x — added depth-2 scatter detection for flat-top-level repos (Java, Python Django).